From e6d67390cc3e6282d633370cc269517bc5598c90 Mon Sep 17 00:00:00 2001
From: "Torne (Richard Coles)" <torne@google.com>
Date: Mon, 1 Feb 2016 15:29:42 +0000
Subject: [PATCH] Allow isolated_app to talk to webviewupdate_service.

It's okay for isolated apps to connect to the webview update service to
find out which APK is WebView. This enables isolated renderer processes
to load their code from the WebView APK.

Change-Id: Ia287280a994dbd852b4f630da5548e7b6cf4e08f
---
 isolated_app.te | 6 ++++--
 1 file changed, 4 insertions(+), 2 deletions(-)

diff --git a/isolated_app.te b/isolated_app.te
index c27b5474d..6497cf162 100644
--- a/isolated_app.te
+++ b/isolated_app.te
@@ -17,6 +17,7 @@ allow isolated_app app_data_file:file { read write getattr lock };
 
 allow isolated_app activity_service:service_manager find;
 allow isolated_app display_service:service_manager find;
+allow isolated_app webviewupdate_service:service_manager find;
 
 # Google Breakpad (crash reporter for Chrome) relies on ptrace
 # functionality. Without the ability to ptrace, the crash reporter
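Review bot: The new allow rule for webviewupdate_service at the end of the service list carries no in-policy rationale, while the two rules above it are equally bare and the justification lives only in the commit message. Since this widens the set of system services an isolated (sandboxed renderer) domain can look up, a reader auditing isolated_app.te should be able to see why without git history; add above the new line `# Isolated renderer processes look up the WebView update service to learn which APK provides WebView (see commit message).`. Note that `find` here only permits service-manager lookup; whether the subsequent binder calls are already permitted for this domain is not visible in the hunk and would need checking against the rest of the policy.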
@@ -40,12 +41,13 @@ neverallow isolated_app property_type:property_service set;
 neverallow isolated_app app_data_file:file open;
 
 # b/17487348
-# Isolated apps can only access two services,
-# activity_service and display_service
+# Isolated apps can only access three services,
+# activity_service, display_service and webviewupdate_service.
 neverallow isolated_app {
     service_manager_type
     -activity_service
     -display_service
+    -webviewupdate_service
 }:service_manager find;
 
 # Isolated apps shouldn't be able to access the driver directly.
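Review bot: The rewritten comment hard-codes the count ("three services") and the service names, so it will drift from the neverallow exclusion list the next time an entry is added, exactly as it just did going from two to three. Prefer wording that defers to the rule itself, e.g. `# Isolated apps may only find the services explicitly excluded from the neverallow below; keep this list minimal.`. The neverallow with its `-webviewupdate_service` exclusion is the compile-time guard that keeps the allow rule in the first hunk honest, so it is the right place for the rationale rather than a restatement of the list.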
-- 
GitLab